TeamPCP-Linked Supply Chain Attack Hits SAP CAP and Cloud MTA npm Packages
A suspected TeamPCP-linked supply chain attack compromised multiple SAP CAP and Cloud MTA npm packages by injecting malicious preinstall scripts. The attack leverages a downloaded Bun runtime to execute an obfuscated payload that harvests extensive credentials from developer machines and CI/CD pipelines, exfiltrating data via attacker-controlled GitHub repositories and establishing persistence through VSCode and Claude AI configurations.
Authors: Socket
Source:
Socket
- domainaudit[.]checkmarx[.]cxThreat-actor-controlled domain used in prior TeamPCP-linked variants for telemetry and C2
- md535baf8316645372eea40b91d48acb067MD5 hash of the setup.mjs loader script
- sha2564066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34SHA256 hash of the injected setup.mjs loader script
- sha2566f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95SHA256 hash of the execution.js payload variant found in @cap-js/sqlite
- sha25680a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710acSHA256 hash of an execution.js payload variant
- sha256eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdbSHA256 hash of an execution.js payload variant
- urlhxxps://api[.]github[.]com/search/commits?q=OhNoWhatsGoingOnWithGitHub&sort=author-date&order=desc&per_page=50GitHub commit-search dead-drop query used for C2 retrieval
Detection / Hunter
What Happened
A cyberattack has compromised several software packages used by developers building SAP cloud applications. Anyone who downloaded specific versions of these packages on or after April 29, 2026, may have had their passwords, cloud access keys, and source code stolen. This is highly dangerous because it targets the core tools developers use, potentially allowing attackers to breach company networks and cloud environments. Developers and security teams should immediately check if they used the affected packages, revoke any exposed passwords or tokens, and monitor their systems for suspicious activity.
Key Takeaways
- A supply chain attack compromised SAP CAP and Cloud MTA npm packages (mbt, @cap-js/db-service, @cap-js/postgres, @cap-js/sqlite) via malicious preinstall scripts.
- The injected loader script (setup.mjs) downloads a Bun runtime to execute a heavily obfuscated payload (execution.js).
- The payload harvests extensive credentials from developer machines and bypasses CI/CD log masking by reading runner memory directly.
- Exfiltration and C2 are conducted via attacker-controlled GitHub repositories and the GitHub commit search API using dead-drop strings.
- Persistence is established by backdooring VSCode and Claude AI coding assistant configuration files.
Affected Systems
- Developer machines and CI/CD environments using SAP Cloud Application Programming Model (CAP)
- SAP Business Technology Platform workflows
- MTA-based deployment pipelines
- Windows, Linux, and macOS environments running npm
Attack Chain
The attack begins when a victim installs a compromised SAP CAP npm package, triggering a malicious preinstall script. This script acts as a loader (setup.mjs), downloading a Bun runtime from GitHub and using it to execute an obfuscated payload (execution.js). The payload checks for a Russian locale kill-switch, then harvests extensive credentials from developer files, cloud metadata endpoints, and CI/CD runner memory. Stolen data is encrypted and exfiltrated to dynamically created GitHub repositories, while persistence is established by backdooring VSCode and Claude AI configuration files.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules but recommends monitoring for suspicious access to cloud metadata services from package-installation or JavaScript runtime processes.
Detection Engineering Assessment
EDR Visibility: High — EDR solutions can monitor process ancestry (e.g., npm spawning bun or node), detect unauthorized file modifications in .vscode or .claude directories, and alert on access to sensitive credential files. Network Visibility: Medium — Network monitoring can detect connections to cloud metadata IPs (169.254.169.254) from unexpected processes, but exfiltration to GitHub is encrypted and blends with normal developer traffic. Detection Difficulty: Moderate — While the payload is heavily obfuscated and uses legitimate services (GitHub) for C2, the behavioral anomalies of npm downloading a Bun binary and accessing cloud metadata endpoints are highly suspicious and detectable.
Required Log Sources
- Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
- File System Logs (Sysmon Event ID 11)
- Network Connection Logs (Sysmon Event ID 3)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for package managers (npm, yarn) spawning unexpected runtimes like Bun or executing scripts that download binaries from GitHub. | Process Creation | Execution | Low |
| Search for JavaScript or Bun processes initiating outbound network connections to cloud metadata IP addresses (e.g., 169.254.169.254). | Network Connections | Credential Access | Low |
| Identify modifications to IDE configuration files (e.g., .vscode/tasks.json) or AI assistant settings (.claude/settings.json) by package manager processes. | File Modifications | Persistence | Low |
| Monitor for processes reading memory of CI/CD runner worker processes via /proc/<pid>/mem. | File Access / Process Monitoring | Credential Access | Low |
Control Gaps
- CI/CD secret masking bypass via direct memory reading
- Lack of egress filtering for cloud metadata endpoints on developer machines
Key Behavioral Indicators
- npm install triggering a download of bun-v1.3.13
- Creation of tmp.987654321.lock
- JavaScript processes reading /proc/<pid>/maps or /proc/<pid>/mem
- GitHub API queries containing 'OhNoWhatsGoingOnWithGitHub'
False Positive Assessment
- Low. The specific combination of npm downloading Bun, accessing cloud metadata, and modifying IDE configs for persistence is highly anomalous and unlikely to occur in legitimate workflows.
Recommendations
Immediate Mitigation
- Review dependency trees and lockfiles for mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2.
- Rotate any credentials, SSH keys, or tokens that may have been exposed in build or developer environments.
- Review CI/CD logs for unexpected network activity or binary execution during the exposure window (April 29, 2026).
Infrastructure Hardening
- Implement egress filtering to block access to cloud metadata endpoints (169.254.169.254, etc.) from non-essential processes or containers.
- Enforce strict dependency pinning and use lockfiles to prevent unexpected package updates.
User Protection
- Monitor developer endpoints for unauthorized modifications to IDE configuration files (.vscode, .claude).
- Use endpoint protection to detect and block unauthorized access to sensitive credential files (e.g., ~/.aws/credentials, ~/.ssh).
Security Awareness
- Educate developers on the risks of supply chain attacks and the importance of verifying package integrity before installation.
MITRE ATT&CK Mapping
- T1195.002 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1105 - Ingress Tool Transfer
- T1027 - Obfuscated Files or Information
- T1614.001 - System Location Discovery: System Language Discovery
- T1552.001 - Unsecured Credentials: Credentials In Files
- T1552.004 - Unsecured Credentials: Private Keys
- T1552.005 - Unsecured Credentials: Cloud Instance Metadata API
- T1003 - OS Credential Dumping
- T1567.001 - Exfiltration Over Web Service: Exfiltration to Code Repository
- T1546 - Event Triggered Execution
Additional IOCs
- Urls:
hxxp://169[.]254[.]170[.]2- AWS ECS endpoint probed by the payloadhxxp://127[.]0[.]0[.]1:40342- Azure MSI endpoint probed by the payloadhxxp://metadata[.]google[.]internal- GCP metadata endpoint probed by the payloadregistry.npmjs.org/-/npm/v1/oidc/token/exchange/package/- Endpoint used by the @cap-js/sqlite payload variant for OIDC token theft
- File Hashes:
35baf8316645372eea40b91d48acb067(MD5) - MD5 hash of the setup.mjs loader scripteb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb(SHA256) - SHA256 hash of an execution.js payload variant80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac(SHA256) - SHA256 hash of an execution.js payload variant
- File Paths:
.claude/settings.json- Backdoored Claude AI configuration file used for persistence.vscode/tasks.json- Backdoored VSCode configuration file used for persistencesetup.mjs- Injected loader script filenameexecution.js- Injected obfuscated payload filenametmp.987654321.lock- Lock file created during execution
- Command Lines:
- Purpose: Probe host to detect glibc vs. musl for downloading the correct Bun binary | Tools:
ldd| Stage: Execution |ldd --version - Purpose: Steal cached GitHub CLI token | Tools:
gh| Stage: Credential Access |gh auth token
- Purpose: Probe host to detect glibc vs. musl for downloading the correct Bun binary | Tools:
- Other:
OhNoWhatsGoingOnWithGitHub- Dead-drop key string used in GitHub commit search APIA Mini Shai-Hulud has Appeared- Repository description used for attacker-created exfiltration repositoriesctf-scramble-v2- Salt used in PBKDF2 key derivation for payload decryptionvirinchy48- GitHub user account observed hosting exfiltration repositories (e.g., gesserit-slig-510, kanly-sietch-425)